
Shortened-URL services that issue tokens of only 5 to 7 characters produce a search space small enough to enumerate, leaving the links they generate open to brute-force discovery, Cornell researchers found.


Shortened URLs are convenient for sharing long Web addresses in email messages and through social media, but they also pose a privacy hazard: the URLs produced by popular services are so short that the entire space of possible links can be searched by brute force, a Cornell Tech research effort found.

In a paper published in April 2016, two researchers showed that the 5- and 6-character tokens produced by popular shortening services can be scanned to discover sensitive documents whose owners shared them without realizing the links could be found by anyone. Attackers could scan shortened URLs at a sustained rate of 2.6 lookups per second and would only have to pay $36,700 to rent the cloud computing time necessary to do so, co-authors Martin Georgiev and Vitaly Shmatikov stated in the report.

The lesson for users is that the obfuscation of a shortened link does not add security, Shmatikov, a professor of computer science at Cornell Tech, told eWEEK via email.

"When you share a short link, you should assume that you are sharing with everybody … whether it’s [a] OneDrive document or driving directions from your home address,” he said. “When cloud services offer users to generate a short link—like OneDrive did until recently—they should warn the users that by generating the link they are making the content public.”


Using this technique, the researchers found more than 70 million live URL mappings on Bit.ly and almost 24 million on Google Maps. To study the privacy implications, the researchers focused on Microsoft's OneDrive cloud storage offering. They found that nearly 20,000 of the shortened URLs resolved to a file or folder on Microsoft's OneDrive or SkyDrive service. Worse, once a single such link was found, the account behind it could be traversed to discover other files and folders in the sharer's cloud space, with no further brute-force search needed.

Many of the discovered folders were also writable: anyone holding the shortened URL could add or modify a file and save it, raising the concern that attackers could plant malware in documents their owners believed were private.

The shortening services need to make the URLs at least eight characters to make the space of all possible URLs computationally difficult to search, Shmatikov said.

"Given computing and scanning capabilities available today, eight characters or longer should be reasonably safe for now," he said.

After Georgiev and Shmatikov notified Google of the security risk, the company increased the number of characters used by the shortened URLs produced by Google Maps to at least 11. eWEEK confirmed that Google Maps currently assigns shortened URLs of 12 characters.

Microsoft, on the other hand, did not acknowledge the weaknesses but made two changes: It removed the "shorten link" option from OneDrive and blocked the systematic enumeration of other files and folders by a user who holds one shortened link, the researchers said.

"The only change in this respect is that, having discovered one shared document, it is no longer trivial to discover all other shared documents in the same account, since the account traversal methodology described in the paper no longer seems to work," Shmatikov said.

Cornell Tech is a New York City-based graduate and research institution founded by Cornell University.
